New Phishing Scam Deceives With Phony Certificates

A new, advanced form of phishing, dubbed “secured phishing” because it relies on self-signed digital certificates, can easily fool all but the most cautious consumers, a security firm warned Thursday.

The new phish blends traditional elements with the new twist of a self-signed digital certificate, said Larson. It starts the same as most phishing attacks, with spammed e-mails urging recipients to click on a link to update a financial account. The destination is a spoofed version of a real site, which requests that the consumer enter his or her username and password to verify the information (supposedly because unauthorized access has been detected from an overseas IP address).

But this campaign goes above and beyond the typical. The spoofed site uses the HTTPS protocol so that the browser shows the standard “lock” icon designating a secure site.


